Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A vulnerability in the ext4 file system of the Linux kernel can cause infinite loops and prolonged blocking of operations. The issue arises during mkdir or mknod operations, when logical blocks are mapped to physical blocks. If the insertion of a new extent into the extent tree fails (for example, when the file system disables the huge file feature while the inode is marked dirty), the function ext4_ext_map_blocks() reclaims the physical block but does not remove the corresponding data from the extent tree. As a result, subsequent mkdir operations may reference the reclaimed physical block number, which can conflict with xattr block usage, so that the directory and the xattr share the same buffer head block in memory. This causes the function ext4_xattr_block_set() to enter an infinite loop, unable to release the inode lock, and can disrupt metadata consistency, especially if the EXT4_GET_BLOCKS_DELALLOC_RESERVE option was used.
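The failure path described above can be followed in a small user-space model. This is an added example, not kernel code or the upstream fix: toy_fs, map_block() and the remove_stale_extent switch are hypothetical, and the model assumes the extent entry is already recorded when the insertion reports failure.

```c
/* Toy model of the block accounting described above. Added example, NOT kernel
 * code: toy_fs, map_block() and remove_stale_extent are hypothetical names. */
#include <stdbool.h>
#include <stdio.h>
enum { NBLOCKS = 8, NO_BLOCK = -1 };
struct toy_fs {
    bool in_use[NBLOCKS]; /* allocator bitmap: true = block is owned */
    int  dir_extent;      /* physical block the directory's extent entry names */
    int  xattr_block;     /* physical block holding the xattr */
};

static int alloc_block(struct toy_fs *fs)
{
    for (int b = 0; b < NBLOCKS; b++)
        if (!fs->in_use[b]) {
            fs->in_use[b] = true;
            return b;
        }
    return NO_BLOCK;
}

/* Map a directory block. Assumption: on failure the extent entry is already
 * recorded, and the error path hands the physical block back. */
static int map_block(struct toy_fs *fs, bool insert_fails, bool remove_stale_extent)
{
    int pblk = alloc_block(fs);
    if (pblk == NO_BLOCK)
        return -1;
    fs->dir_extent = pblk;            /* entry now names pblk */
    if (!insert_fails)
        return 0;
    fs->in_use[pblk] = false;         /* physical block reclaimed */
    if (remove_stale_extent)
        fs->dir_extent = NO_BLOCK;    /* hypothetical cleanup of the entry */
    return -1;
}
/* True when the directory extent and the xattr end up naming the same block. */
static bool blocks_collide(bool remove_stale_extent)
{
    struct toy_fs fs = { .dir_extent = NO_BLOCK, .xattr_block = NO_BLOCK };
    (void)map_block(&fs, true, remove_stale_extent);
    fs.xattr_block = alloc_block(&fs); /* next allocation reuses the freed block */
    return fs.dir_extent != NO_BLOCK && fs.dir_extent == fs.xattr_block;
}

int main(void)
{
    printf("kept: shared=%d, removed: shared=%d\n", blocks_collide(false), blocks_collide(true));
    return 0;
}
```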
The vulnerability causes a deadlock by blocking operations for over 143 seconds, as reported by the syzbot fuzzing tool.
The vulnerability can be reproduced by creating a directory or node while the ext4 file system has the huge file feature disabled. This can be done by marking an inode as dirty and then attempting to insert a new extent, which will fail and trigger the vulnerability. The physical block reclamation process will then reference a block already in use by the xattr, creating a conflict that leads to the infinite loop.
Users can upgrade to the latest stable version of the Linux kernel where this vulnerability has been addressed.